Security Content Versions Save

Release notes

New Analytics Story

• Okta Account Takeover
• Windows AppLocker
• Zscaler Browser Proxy Threats

Updated Analytics Story

• Azure Active Directory Account Takeover
• Compromised User Account
• GCP Account Takeover

New Analytics

• Okta Authentication Failed During MFA Challenge
• Okta IDP Lifecycle Modifications
• Okta Multi-Factor Authentication Disabled
• Okta Multiple Accounts Locked Out
• Okta Multiple Failed MFA Requests For User
• Okta Multiple Users Failing To Authenticate From Ip
• Okta Successful Single Factor Authentication
• Okta Unauthorized Access to Application
• O365 Compliance Content Search Exported
• O365 Compliance Content Search Started
• O365 Elevated Mailbox Permission Assigned
• O365 Mailbox Email Forwarding Enabled
• O365 Mailbox Folder Read Permission Assigned
• O365 Mailbox Folder Read Permission Granted
• O365 New Email Forwarding Rule Created
• O365 New Email Forwarding Rule Enabled
• O365 New Forwarding Mailflow Rule Created
• O365 Security And Compliance Alert Triggered
• Okta User Logins From Multiple Cities
• Windows AppLocker Block Events
• Windows AppLocker Execution from Uncommon Locations
• Windows AppLocker Privilege Escalation via Unauthorized Bypass
• Windows AppLocker Rare Application Launch Detection
• Windows Unsigned MS DLL Side-Loading
• Zscaler Adware Activities Threat Blocked
• Zscaler Behavior Analysis Threat Blocked
• Zscaler CryptoMiner Downloaded Threat Blocked
• Zscaler Employment Search Web Activity
• Zscaler Exploit Threat Blocked
• Zscaler Legal Liability Threat Blocked
• Zscaler Malware Activity Threat Blocked
• Zscaler Phishing Activity Threat Blocked
• Zscaler Potentially Abused File Download
• Zscaler Privacy Risk Destinations Threat Blocked
• Zscaler Scam Destinations Threat Blocked
• Zscaler Virus Download threat blocked

Updated Analytics

• Email Attachments With Lots Of Spaces
• Okta MFA Exhaustion Hunt
• Okta Mismatch Between Source and Response for Verify Push Request
• Okta Multiple Failed Requests to Access Applications
• Okta New API Token Created
• Okta New Device Enrolled on Account
• Okta Phishing Detection with FastPass Origin Check
• Okta Risk Threshold Exceeded
• Okta Suspicious Activity Reported
• Okta Suspicious Use of a Session Cookie
• Okta ThreatInsight Threat Detected
• Suspicious Email Attachment Extensions
• O365 Admin Consent Bypassed by Service Principal
• O365 ApplicationImpersonation Role Assigned
• O365 Mailbox Inbox Folder Shared with All Users
• O365 PST export alert
• Prohibited Software On Endpoint
• Detect Use of cmd exe to Launch Script Interpreters
• Detection of tools built by NirSoft
• Excessive File Deletion In WinDefender Folder(External Contributor : @nterl0k )
• Linux Account Manipulation Of SSH Config and Keys
• Linux Deletion of SSL Certificate
• Malicious Powershell Executed As A Service
• Registry Keys Used For Persistence
• SchCache Change By App Connect And Create ADSI Object
• Suspicious Regsvr32 Register Suspicious Path
• Windows Data Destruction Recursive Exec Files Deletion (External Contributor : @nterl0k )
• Windows High File Deletion Frequency External Contributor : @nterl0k )
• Windows MSHTA Writing to World Writable Path
• Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos
• SMB Traffic Spike
• SMB Traffic Spike - MLTK
• Web Remote ShellServlet Access

Macros Added

• applocker
• zscaler_proxy

Macros Updated

• okta

Lookups Added

• applockereventcodes

Other Updates

• Added a new dashboard ESCU - AppLocker, Navigate to your Dashboards and search for "ESCU - AppLocker" to assist with auditing and monitoring Windows AppLocker events for your endpoints (Splunk Enterprise 9.x.x version and above only)

Release notes

New Analytics Story

• APT29 Diplomatic Deceptions with WINELOADER
• Outlook RCE CVE-2024-21378

Updated Analytics Story

New Analytics

• Windows InProcServer32 New Outlook Form
• Windows MSHTA Writing to World Writable Path
• Windows New InProcServer32 Added
• Windows Phishing Outlook Drop Dll In FORM Dir
• Windows SqlWriter SQLDumper DLL Sideload

Updated Analytics

• CertUtil With Decode Argument

New Analytics

• Splunk Authentication Token Exposure in Debug Log

Updated Analytics

• Splunk Command and Scripting Interpreter Risky Commands
• ASL AWS Concurrent Sessions From Different Ips
• Gsuite Outbound Email With Attachment To External Domain
• Detect Excessive Account Lockouts From Endpoint
• Detect Excessive User Account Lockouts
• Short Lived Windows Accounts
• Windows Create Local Account

Playbooks Updated

• Active Directory Enable Account Dispatch

Updated Analytics Story

• Cyclops Blink
• Sneaky Active Directory Persistence Tricks

New Analytics

• Windows Credential Access From Browser Password Store
• Windows Known Abused DLL Created (External Contributor : @nterl0k )

Updated Analytics

• Okta User Logins From Multiple Cities
• Path traversal SPL injection
• Splunk User Enumeration Attempt
• AWS Concurrent Sessions From Different Ips
• AWS Credential Access RDS Password reset
• Kubernetes Nginx Ingress LFI
• Kubernetes Nginx Ingress RFI
• Kubernetes Previously Unseen Process
• O365 Multiple Users Failing To Authenticate From Ip
• Detect AzureHound Command-Line Arguments
• Detect AzureHound File Modifications
• Detect SharpHound Command-Line Arguments
• Detect SharpHound File Modifications
• Detect SharpHound Usage
• Disabling Windows Local Security Authority Defences via Registry
• Linux Iptables Firewall Modification
• Linux Kworker Process In Writable Process Path
• Linux Stdout Redirection To Dev Null File
• Network Traffic to Active Directory Web Services Protocol
• System Information Discovery Detection
• Windows SOAPHound Binary Execution

Lookups Added

• browser_app_list
• hijacklibs_loaded (External Contributor : @nterl0k )

Playbooks Updated

• All playbook yamls updated to use a list of D3FEND IDs

New Analytics Story

• JetBrains TeamCity Vulnerabilities

Updated Analytics Story

New Analytics

• Cloud Security Groups Modifications by User
• Detect Remote Access Software Usage File(External Contributor : @nterl0k )
• Detect Remote Access Software Usage FileInfo(External Contributor : @nterl0k )
• Detect Remote Access Software Usage Process(External Contributor : @nterl0k )
• Windows Multiple Account Passwords Changed
• Windows Multiple Accounts Deleted
• Windows Multiple Accounts Disabled
• Detect Remote Access Software Usage DNS(External Contributor : @nterl0k )
• Detect Remote Access Software Usage Traffic(External Contributor : @nterl0k )
• High Volume of Bytes Out to Url
• Detect Remote Access Software Usage URL(External Contributor : @nterl0k )
• JetBrains TeamCity Authentication Bypass CVE-2024-27198
• JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198
• JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199
• Nginx ConnectWise ScreenConnect Authentication Bypass

Updated Analytics

• AWS IAM Delete Policy (External Contributor: @ep3p )
• O365 Multiple Users Failing To Authenticate From Ip
• ConnectWise ScreenConnect Authentication Bypass
• JetBrains TeamCity RCE Attempt

Macros Added

• nginx_access_logs
• suricata

Macros Updated

Lookups Added

Lookups Updated

• remote_access_software

Playbooks Added

• G Suite for Gmail Message Eviction
• G Suite for Gmail Search and Purge
• MS Graph for Office 365 Message Eviction
• MS Graph for Office 365 Message Identifier Activity Analysis
• MS Graph for Office 365 Message Restore
• MS Graph for Office365 Search and Purge
• MS Graph for Office365 Search and Restore

Playbooks Updated

Other Updates

• Added a new script and a CI job to automatically upload the package to Splunkbase using a service account
• Create SSA-Content-latest.tar.gz in the generate_ba CI job

Release notes for ESCU v4.25.0

New Analytics Story

• ConnectWise ScreenConnect Vulnerabilities
• Snake Keylogger
• WordPress Vulnerabilities

Updated Analytics Story

New Analytics

• ConnectWise ScreenConnect Path Traversal
• ConnectWise ScreenConnect Path Traversal Windows SACL
• Windows Non Discord App Access Discord LevelDB
• Windows Time Based Evasion via Choice Exec
• Windows Unsecured Outlook Credentials Access In Registry
• ConnectWise ScreenConnect Authentication Bypass
• WordPress Bricks Builder plugin RCE

Updated Analytics

• Detect Regasm Spawning a Process
• Download Files Using Telegram
• Executables Or Script Creation In Suspicious Path
• High Process Termination Frequency
• Linux Edit Cron Table Parameter
• Non Chrome Process Accessing Chrome Default Dir
• Non Firefox Process Access Firefox Profile Dir
• Processes launching netsh
• Registry Keys Used For Persistence
• Suspicious Driver Loaded Path
• Suspicious Process DNS Query Known Abuse Web Services
• Suspicious Process Executed From Container File
• Windows Credentials from Password Stores Chrome LocalState Access
• Windows Credentials from Password Stores Chrome Login Data Access
• Windows File Transfer Protocol In Non-Common Process Path
• Windows Gather Victim Network Info Through Ip Check Web Services
• Windows Phishing PDF File Executes URL Link
• Windows System Network Connections Discovery Netsh
• Windows User Execution Malicious URL Shortcut File
• WinEvent Scheduled Task Created Within Public Path

Other Updates

• Updated contentctl to output accurate providing technologies in savedsearches.conf

Release notes for ESCUv4.24.0

New Analytics Story

• Office 365 Collection Techniques
• Phemedrone Stealer

Updated Analytics Story

• NOBELIUM Group

New Analytics

• Azure AD Admin Consent Bypassed by Service Principal
• Azure AD FullAccessAsApp Permission Assigned
• Azure AD Multiple Service Principals Created by SP
• Azure AD Multiple Service Principals Created by User
• Azure AD Privileged Graph API Permission Assigned
• Azure AD Service Principal Authentication
• O365 Admin Consent Bypassed by Service Principal
• O365 FullAccessAsApp Permission Assigned
• O365 Multiple Mailboxes Accessed via API
• O365 Multiple Service Principals Created by SP
• O365 Multiple Service Principals Created by User
• O365 OAuth App Mailbox Access via EWS
• O365 OAuth App Mailbox Access via Graph API
• O365 Privileged Graph API Permission Assigned
• Network Traffic to Active Directory Web Services Protocol
• Windows Privilege Escalation Suspicious Process Elevation (External Contributor : @nterl0k )
• Windows Privilege Escalation System Process Without System Parent(External Contributor : @nterl0k )
• Windows Privilege Escalation User Process Spawn System Process(External Contributor : @nterl0k )
• Windows SOAPHound Binary Execution
• Ivanti Connect Secure SSRF in SAML Component

Updated Analytics

• Splunk unnecessary file extensions allowed by lookup table uploads
• Azure AD High Number Of Failed Authentications From Ip
• Azure AD Multi-Source Failed Authentications Spike
• Azure AD Privileged Role Assigned
• Azure AD Privileged Role Assigned to Service Principal
• Azure AD Service Principal Created
• Azure AD Service Principal New Client Credentials
• Azure AD Service Principal Owner Added
• Azure AD Tenant Wide Admin Consent Granted
• O365 Added Service Principal
• O365 Application Registration Owner Added
• O365 ApplicationImpersonation Role Assigned
• O365 Mailbox Inbox Folder Shared with All Users
• O365 Mailbox Read Access Granted to Application
• O365 Multi-Source Failed Authentications Spike
• O365 Multiple Users Failing To Authenticate From Ip
• O365 Service Principal New Client Credentials
• O365 Suspicious Admin Email Forwarding
• O365 Suspicious Rights Delegation
• O365 Suspicious User Email Forwarding
• O365 Tenant Wide Admin Consent Granted
• Correlation by Repository and Risk
• Correlation by User and Risk
• Any Powershell DownloadFile
• Any Powershell DownloadString
• Attacker Tools On Endpoint
• Create local admin accounts using net exe
• Create Remote Thread In Shell Application
• Creation of Shadow Copy
• Detect Certify Command Line Arguments
• Detect Certify With PowerShell Script Block Logging
• Detect Excessive Account Lockouts From Endpoint
• Detect New Local Admin account
• Detect Regasm with Network Connection
• Detect Regsvcs with Network Connection
• Detect Use of cmd exe to Launch Script Interpreters
• Disable Show Hidden Files
• Disable Windows SmartScreen Protection
• Disabling ControlPanel
• Disabling SystemRestore In Registry
• Download Files Using Telegram
• Elevated Group Discovery with PowerView
• Executable File Written in Administrative SMB Share
• Executables Or Script Creation In Suspicious Path
• Execute Javascript With Jscript COM CLSID
• Execution of File with Multiple Extensions
• Extraction of Registry Hives
• Hiding Files And Directories With Attrib exe
• Linux Account Manipulation Of SSH Config and Keys
• Linux Deletion Of Cron Jobs
• Linux Deletion Of Init Daemon Script
• Linux Deletion Of Services
• Linux Deletion of SSL Certificate
• Linux High Frequency Of File Deletion In Boot Folder
• Linux High Frequency Of File Deletion In Etc Folder
• MacOS LOLbin
• MacOS plutil
• Network Discovery Using Route Windows App
• Non Chrome Process Accessing Chrome Default Dir
• Non Firefox Process Access Firefox Profile Dir
• Overwriting Accessibility Binaries
• PowerShell - Connect To Internet With Hidden Window
• Rundll32 Process Creating Exe Dll Files
• Scheduled Task Deleted Or Created via CMD
• Schtasks scheduling job on remote system
• Spoolsv Spawning Rundll32
• Spoolsv Writing a DLL
• Spoolsv Writing a DLL - Sysmon
• Suspicious Driver Loaded Path
• Suspicious mshta child process
• Suspicious Process DNS Query Known Abuse Web Services
• Suspicious Process File Path
• System Processes Run From Unexpected Locations
• Trickbot Named Pipe
• Windows Account Discovery for None Disable User Account
• Windows AD Replication Request Initiated by User Account
• Windows AD Replication Request Initiated from Unsanctioned Location
• Windows Admin Permission Discovery
• Windows Alternate DataStream - Base64 Content
• Windows Alternate DataStream - Executable Content
• Windows Credentials from Password Stores Chrome Extension Access
• Windows Credentials from Password Stores Chrome LocalState Access
• Windows Credentials from Password Stores Chrome Login Data Access
• Windows Gather Victim Network Info Through Ip Check Web Services
• Windows Process Injection Remote Thread
• Windows Registry Payload Injection
• Windows Replication Through Removable Media
• Windows Rundll32 WebDav With Network Connection
• Windows Scheduled Task Created Via XML
• Windows Scheduled Task Service Spawned Shell
• Windows Security Account Manager Stopped
• Windows Suspect Process With Authentication Traffic
• Windows UAC Bypass Suspicious Child Process
• Windows UAC Bypass Suspicious Escalation Behavior
• Windows WinLogon with Public Network Connection
• WinEvent Scheduled Task Created Within Public Path
• Detect DGA domains using pretrained model in DSDL
• DNS Query Length With High Standard Deviation
• Multiple Archive Files Http Post Traffic
• Plain HTTP POST Exfiltrated Data

Playbooks Updated

• Splunk Automated Email Investigation

Other Updates

Release notes for ESCU v4.23.0

New Analytics Story

• Jenkins Server Vulnerabilities

Updated Analytics Story

New Analytics

• Splunk Information Disclosure in Splunk Add-on Builder
• Kubernetes Anomalous Inbound Network Activity from Process
• Kubernetes Anomalous Outbound Network Activity from Process
• Kubernetes Anomalous Traffic on Network Edge
• Kubernetes Create or Update Privileged Pod
• Kubernetes Cron Job Creation
• Kubernetes DaemonSet Deployed
• Kubernetes Falco Shell Spawned
• Kubernetes newly seen TCP edge
• Kubernetes newly seen UDP edge
• Kubernetes Node Port Creation
• Kubernetes Pod Created in Default Namespace
• Kubernetes Pod With Host Network Attachment
• Kubernetes Scanning by Unauthenticated IP Address
• Windows Impair Defense Change Win Defender Health Check Intervals
• Windows Impair Defense Change Win Defender Quick Scan Interval
• Windows Impair Defense Change Win Defender Throttle Rate
• Windows Impair Defense Change Win Defender Tracing Level
• Windows Impair Defense Configure App Install Control
• Windows Impair Defense Define Win Defender Threat Action
• Windows Impair Defense Disable Controlled Folder Access
• Windows Impair Defense Disable Defender Firewall And Network
• Windows Impair Defense Disable Defender Protocol Recognition
• Windows Impair Defense Disable PUA Protection
• Windows Impair Defense Disable Realtime Signature Delivery
• Windows Impair Defense Disable Web Evaluation
• Windows Impair Defense Disable Win Defender App Guard
• Windows Impair Defense Disable Win Defender Compute File Hashes
• Windows Impair Defense Disable Win Defender Gen reports
• Windows Impair Defense Disable Win Defender Network Protection
• Windows Impair Defense Disable Win Defender Report Infection
• Windows Impair Defense Disable Win Defender Scan On Update
• Windows Impair Defense Disable Win Defender Signature Retirement
• Windows Impair Defense Overide Win Defender Phishing Filter
• Windows Impair Defense Override SmartScreen Prompt
• Windows Impair Defense Set Win Defender Smart Screen Level To Warn
• Windows MsiExec HideWindow Rundll32 Execution
• Windows Process Injection In Non-Service SearchIndexer
• Jenkins Arbitrary File Read CVE-2024-23897

Updated Analytics

• Kubernetes Access Scanning
• Kubernetes Anomalous Inbound Outbound Network IO
• Kubernetes Anomalous Inbound to Outbound Network IO Ratio
• Kubernetes AWS detect suspicious kubectl calls
• Kubernetes Previously Unseen Container Image Name
• Kubernetes Previously Unseen Process
• Kubernetes Process Running From New Path
• Kubernetes Process with Anomalous Resource Utilisation
• Kubernetes Process with Resource Ratio Anomalies
• Kubernetes Shell Running on Worker Node
• Kubernetes Shell Running on Worker Node with CPU Activity
• Disable Windows SmartScreen Protection
• Linux Service Started Or Enabled
• Unknown Process Using The Kerberos Protocol
• Windows Excessive Disabled Services Event

Other Updates

• Added a new input macro sourcetype="kube:container:falco"

Playbook Updates

• Splunk Attack Analyzer Dynamic Analysis
• Splunk Automated Email Investigation
• Splunk Identifier Activity Analysis
• Splunk Message Identifier Activity Analysis

New Analytics Story

• Confluence Data Center and Confluence Server Vulnerabilities

New Analytics

• Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527

Updated Analytics

• Confluence Data Center and Server Privilege Escalation
• Confluence Unauthenticated Remote Code Execution CVE-2022-26134
• Ivanti Connect Secure Command Injection Attempts

Release notes for ESCUv4.21.0

New Analytics Story

Updated Analytics Story

• Splunk Vulnerabilities

New Analytics

• Splunk Enterprise KV Store Incorrect Authorization
• Splunk Enterprise Windows Deserialization File Partition

Updated Analytics

• Splunk risky Command Abuse disclosed february 2023

Other Updates

• Updated splunk_risky_command lookup with a new splunk_risky_command_20240122.csv file